gurcu | 5188c69bd772ebe6ca8b34e8c08eec90f63ffcf1d6ab20287e074732da21076a | Triage

Submit
Reports

Overview

overview

Static

static

3

jet/jet.exe

windows7-x64

7

jet/jet.exe

windows10-2004-x64

7

jet/loader.exe

windows7-x64

7

jet/loader.exe

windows10-2004-x64

Sharing

General

Target

jet.zip
Size

112.6MB
Sample

240715-kzhyts1flf
MD5

de779c3b4e36d82762dfc61ce9c9bbf2
SHA1

6fbd58a60b3095ac4be7700006237ca9a3f5772e
SHA256

5188c69bd772ebe6ca8b34e8c08eec90f63ffcf1d6ab20287e074732da21076a
SHA512

71f857ae4bd5565654c1b4bb049e082d0f4a7d0fa8cb2d789581a35b9cc956f6855f295fb65156721e95c20af6291e2a735067647ed46d46e7f9def021546948
SSDEEP

3145728:HtfPhRs9D5Zi+mHm47bSZvkG5MQbZ+mSUvh044h:HtfPnsLZi+mHm4XSZ35MAB044

Score

10^/10

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

jet/jet.exe

Resource

win7-20240705-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

jet/jet.exe

Resource

win10v2004-20240709-en

windows10-2004-x64

2 signatures

150 seconds

Behavioral task

behavioral3

Sample

jet/loader.exe

Resource

win7-20240704-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral4

Sample

jet/loader.exe

Resource

win10v2004-20240709-en

gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

windows10-2004-x64

37 signatures

150 seconds

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  jet/jet.exe
- Size
  
  34.2MB
- MD5
  
  5e06053d551d8d4030796d1f962aba92
- SHA1
  
  6cf2351a65be0515dc1392b59902774f476c36e8
- SHA256
  
  1ed92d4e3caae52e8b39dbe22d031c4a057355befa038045ebc7383e1da1f9b9
- SHA512
  
  9ecc16aa0c0e8ed6d817b701e86a6db320c7167d399349bd97f109dfade95d6ee3f786dd4b2004e0e396a090fb509633aea6bbe46065853a3abf42f3c2782bee
- SSDEEP
  
  786432:VuXHiRyc0PacOHzeMKVxzx5cfOHzeMKVxzx5cU5FRA3L:VuXHLc0PacOHzDCd5cfOHzDCd5cUzRO
Score

7^/10
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  jet/loader.exe
- Size
  
  39.3MB
- MD5
  
  cb5900d8c99b9b2b8391c5e07de93048
- SHA1
  
  21434e75d38c698a924a28a39498f230ba1e23f2
- SHA256
  
  53d60f5a2e65c6aae90eb6e9f872cd381fc152f33e8227bef5fe27d61e09ceb3
- SHA512
  
  148be276c6a8b98971c975c27a7b4d27146667b80447198d09777131b2dd5511de51db3ded5b3d04b72a85f12f772792e0590427c3cbceb2b1d9b5420d9d205d
- SSDEEP
  
  786432:vp039FS+ab44n6ASQSc6k00CZcKoTMS4n4BgmpHvT6CKrftQKN:vps9Fnab4+6DQSc6JUCSC4hH2CKLtQK
Score

10^/10

upx gurcu milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Contacts a large (1135) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Network Service Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

gurcumilleniumratdiscoveryevasionexecutionpersistencepyinstallerratspywarestealerupx

© 2018-2024

Terms | Privacy